Skip to content

Commit

Permalink
fix: port #13348 to v3, fs.deny with leading double slash (#13349)
Browse files Browse the repository at this point in the history
  • Loading branch information
patak-dev authored May 26, 2023
1 parent f494760 commit 0574f80
Show file tree
Hide file tree
Showing 4 changed files with 38 additions and 3 deletions.
4 changes: 2 additions & 2 deletions packages/vite/src/node/server/middlewares/static.ts
Original file line number Diff line number Diff line change
Expand Up @@ -78,7 +78,7 @@ export function serveStaticMiddleware(
return next()
}

const url = new URL(req.url!, 'http://example.com')
const url = new URL(req.url!.replace(/^\/+/, '/'), 'http://example.com')
const pathname = decodeURIComponent(url.pathname)

// apply aliases to static requests as well
Expand Down Expand Up @@ -125,7 +125,7 @@ export function serveRawFsMiddleware(

// Keep the named function. The name is visible in debug logs via `DEBUG=connect:dispatcher ...`
return function viteServeRawFsMiddleware(req, res, next) {
const url = new URL(req.url!, 'http://example.com')
const url = new URL(req.url!.replace(/^\/+/, '/'), 'http://example.com')
// In some cases (e.g. linked monorepos) files outside of root will
// reference assets that are also out of served root. In such cases
// the paths are rewritten to `/@fs/` prefixed paths and must be served by
Expand Down
1 change: 1 addition & 0 deletions playground/assets-sanitize/.env
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
KEY=unsafe
5 changes: 5 additions & 0 deletions playground/assets-sanitize/__tests__/assets-sanitize.spec.ts
Original file line number Diff line number Diff line change
Expand Up @@ -25,3 +25,8 @@ if (!isBuild) {
expect(Object.keys(manifest).length).toBe(3) // 2 svg, 1 index.js
})
}

test.runIf(!isBuild)('denied .env', async () => {
expect(await page.textContent('.unsafe-dotenv')).toBe('403')
expect(await page.textContent('.unsafe-dotenv-double-slash')).toBe('403')
})
31 changes: 30 additions & 1 deletion playground/assets-sanitize/index.html
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,35 @@
margin-bottom: 1rem;
}
</style>
<h1>test elements below should show circles and their url</h1>
<h3>test elements below should show circles and their url</h3>
<div class="test-el plus-circle"></div>
<div class="test-el underscore-circle"></div>

<h3>Denied .env</h3>
<div class="unsafe-dotenv"></div>
<div class="unsafe-dotenv-double-slash"></div>

<script type="module">
// .env, denied by default. See fs-serve playground for other fs tests
// these checks ensure that a project without a custom root respects fs.deny

fetch('/.env')
.then((r) => {
text('.unsafe-dotenv', r.status)
})
.catch((e) => {
console.error(e)
})

fetch(window.location + '/.env')
.then((r) => {
text('.unsafe-dotenv-double-slash', r.status)
})
.catch((e) => {
console.error(e)
})

function text(el, text) {
document.querySelector(el).textContent = text
}
</script>

0 comments on commit 0574f80

Please sign in to comment.